8dd1542d25974ef3a081f89875e03b51963498d598c132512f3ee89ee130c11c

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NovaCleaner.exe
Size

6.6MB
MD5

2e0cd344ecb257ab2f4462484a30f0e8
SHA1

48cd10b9f57ff0dfec2d26258799d2f7965e8b6c
SHA256

8dd1542d25974ef3a081f89875e03b51963498d598c132512f3ee89ee130c11c
SHA512

488fede75c054e2bc63b35eab0cb45b24897298c88c6be19212ed38d25ebc107a8870615dee645c623ae1c823e57cf68b494cd184a2d0db69d4a1115f7f614ec
SSDEEP

196608:/LX4FMIZETSwjPePdrQJ/BKavgcVqwhF5G:/bQETSwvJ0av3c0Fs

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
4716	NovaCleaner.exe
4716	NovaCleaner.exe
4716	NovaCleaner.exe
4716	NovaCleaner.exe
4716	NovaCleaner.exe
4716	NovaCleaner.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 4716	1628	NovaCleaner.exe	24
PID 1628 wrote to memory of 4716	1628	NovaCleaner.exe	24
PID 4716 wrote to memory of 1424	4716	NovaCleaner.exe	108
PID 4716 wrote to memory of 1424	4716	NovaCleaner.exe	108
PID 4716 wrote to memory of 2748	4716	NovaCleaner.exe	109
PID 4716 wrote to memory of 2748	4716	NovaCleaner.exe	109
PID 4716 wrote to memory of 1972	4716	NovaCleaner.exe	95
PID 4716 wrote to memory of 1972	4716	NovaCleaner.exe	95
PID 4716 wrote to memory of 3936	4716	NovaCleaner.exe	107
PID 4716 wrote to memory of 3936	4716	NovaCleaner.exe	107
PID 2748 wrote to memory of 4016	2748	cmd.exe	106
PID 2748 wrote to memory of 4016	2748	cmd.exe	106
PID 4716 wrote to memory of 1940	4716	NovaCleaner.exe	105
PID 4716 wrote to memory of 1940	4716	NovaCleaner.exe	105
PID 1424 wrote to memory of 1348	1424	cmd.exe	104
PID 1424 wrote to memory of 1348	1424	cmd.exe	104
PID 1972 wrote to memory of 1684	1972	cmd.exe	103
PID 1972 wrote to memory of 1684	1972	cmd.exe	103
PID 3936 wrote to memory of 4124	3936	cmd.exe	102
PID 3936 wrote to memory of 4124	3936	cmd.exe	102
PID 1940 wrote to memory of 4540	1940	cmd.exe	101
PID 1940 wrote to memory of 4540	1940	cmd.exe	101
PID 4716 wrote to memory of 900	4716	NovaCleaner.exe	96
PID 4716 wrote to memory of 900	4716	NovaCleaner.exe	96
PID 4716 wrote to memory of 1796	4716	NovaCleaner.exe	99
PID 4716 wrote to memory of 1796	4716	NovaCleaner.exe	99
PID 900 wrote to memory of 3768	900	cmd.exe	98
PID 900 wrote to memory of 3768	900	cmd.exe	98
PID 1796 wrote to memory of 2704	1796	cmd.exe	97
PID 1796 wrote to memory of 2704	1796	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\NovaCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\NovaCleaner.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\NovaCleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\NovaCleaner.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG DELETE HKEY_CURRENT_USER\SOFTWARE\Classes /v DotnetRuntimeVariables /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\system32\reg.exe
      REG DELETE HKEY_CURRENT_USER\SOFTWARE\Classes /v DotnetRuntimeVariables /f
      4⤵
      PID:1684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\Defaults /v setup_theme /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\system32\reg.exe
      REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\Defaults /v setup_theme /f
      4⤵
      PID:3768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\MediaPlayer\Health\Status /v CurrentStatus /f >nul"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG DELETE HKEY_CURRENT_USER\SOFTWARE\RegisteredApplications /v DotnetRuntimeVariables /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG DELETE HKEY_CURRENT_USER\SOFTWARE\AppDataLow /v DotnetRuntimeVariables /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft /v DotnetRuntimeVariables /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG DELETE HKEY_CURRENT_USER\SOFTWARE\Wow6432Node /v DotnetRuntimeVariables /f >nul"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2748

C:\Windows\system32\reg.exe
REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\MediaPlayer\Health\Status /v CurrentStatus /f
1⤵
PID:2704

C:\Windows\system32\reg.exe
REG DELETE HKEY_CURRENT_USER\SOFTWARE\RegisteredApplications /v DotnetRuntimeVariables /f
1⤵
PID:4540

C:\Windows\system32\reg.exe
REG DELETE HKEY_CURRENT_USER\SOFTWARE\AppDataLow /v DotnetRuntimeVariables /f
1⤵
PID:4124

C:\Windows\system32\reg.exe
REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft /v DotnetRuntimeVariables /f
1⤵
PID:1348

C:\Windows\system32\reg.exe
REG DELETE HKEY_CURRENT_USER\SOFTWARE\Wow6432Node /v DotnetRuntimeVariables /f
1⤵
PID:4016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI16282\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16282\VCRUNTIME140.dll

Filesize
41KB

MD5
6a7e77057eea4ed4922d3d2250d886cc

SHA1
d78f3c65b5e622778b361170b6521866948aad02

SHA256
3e16d96edf24c1c969ff989f32e6c48e950a2d5c1698c51f442750559fbc908b

SHA512
d8eca1ae5925052718fdad0019f2363357ae5d2639a84924c17e4624b023dc45cf50eae2626424a56a2750458a2bec6ef52d7a60ff57f2a317cb95dd93be87b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16282\base_library.zip

Filesize
92KB

MD5
8261a19050c444ee99b2f97f4c258a59

SHA1
a0b02fb7e8f5005c492de8e4741c375e39ac4565

SHA256
27eb7774f9159940ca809da17d79b237a6b17b50cd393032d6ad55a38e3ee529

SHA512
98edfbd100aee316432bba10da35ba26657bb97b5f26f635917292783233a72018f1197b858c90ed0030262efcfa1dbe461bda522e621518ed7c09bccd4abb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16282\python311.dll

Filesize
162KB

MD5
f12cc1b55925b3a08f6da376bdfccb20

SHA1
787ce28ecde001fafa592dc708e1fe60d3da6755

SHA256
9fd1a4f3a22e06607918213b68b6444fdb1ea4b25cc34f13837d106ad9137b3e

SHA512
cd7de23b2f2b8362df9d209cd906ec0e754a6199a693d51a8b2bb93add5eab0df3dbdb6096e7fbbbe13e4e3875027b52c1dbd266435c06b476ffaf79a134ac88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16282\python311.dll

Filesize
124KB

MD5
ef8af8761e49f927a3b82e3244f32527

SHA1
75c04d02260291f9ec4680c2de0104869d9f765a

SHA256
3418e5c3195d512d50392d47d7c6a7c9a5f00a3f9107d426bb7c99672436c309

SHA512
80ea31ebf81208b84bc4090f38db2187377ed7cbbcbb31d482015483bcd43ae775e76b45b56b7cd49bdc99b1025ae5ecba989dbb1e4e8498498c46f6581b16fe

Download Submit
memory/1628-0-0x00007FF76F7E0000-0x00007FF76F838000-memory.dmp

Filesize
352KB

Download
memory/1628-38-0x00007FF76F7E0000-0x00007FF76F838000-memory.dmp

Filesize
352KB

Download
memory/4716-29-0x00007FF76F7E0000-0x00007FF76F838000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads